Security vendors not up to rooting out rootkits

Rootkits are becoming one of the most widespread forms of malware on the Internet, according to Finnish security company F-Secure, and are now even being used to make adware more difficult to remove.

The boom in rootkits has come as a surprise to anti-virus companies, according to F-Secure. The major security firms - Symantec, McAfee and Trend Micro - don't yet offer software designed to detect this form of malware.

Rootkits are designed to conceal running processes, files and system data, and have traditionally been used by attackers to conceal their activities from system administrators. For example, an intruder could break into a system and run an FTP server there without an administrator being able to see what was going on, even if he were specifically looking for such activity.

"Rootkits can be detected just like any other malware as long as they are not running," said Mikko Hypponen, manager of anti-virus research at F-Secure. "But if it has a chance to run... after that moment none of the anti-virus programs can find it. The only technologies that can find malware like that are rootkit-specific detectors." F-Secure's Blacklight scanner is one such detector; Microsoft is also offering an anti-rootkit system.


Microsoft said earlier this week that rootkits accounted for more than 20 percent of the malware removed from Windows XP systems running Service Pack 2, according to a report in industry journal eWeek.

Reports gathered from users of F-Secure's Blacklight tool confirm the trend, and add that the most common rootkit since October has been found in a spyware program called Apropos. The program, spread by a company called ContextPlus, collects browsing habits and sends them back to the ContextPlus server, while displaying targeted pop-up ads.

The program contains a kernel-mode rootkit that hides files, directories, registry keys and processes, according to F-Secure's analysis. The function of this rootkit is purely to make the program difficult for security programs to detect and remove, said Hypponen - the program isn't hidden from the user, who knows it is there by the presence of constant pop-up ads.
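As an added illustration (not F-Secure's Blacklight or Microsoft's code) of how a rootkit-specific detector of the kind Hypponen describes can find objects that a running kernel-mode rootkit hides from the normal API: it compares two independent enumerations and reports what the low-level view has that the API view lacks, re-sampling so that a process that merely exits mid-scan is not mistaken for a hidden one. The host, process names and the rootkit hook below are constructed for the example.

```python
from typing import Callable, FrozenSet, Hashable, Set

def cross_view_hidden(api_view: Callable[[], Set[Hashable]],
                      raw_view: Callable[[], Set[Hashable]],
                      samples: int = 3) -> FrozenSet[Hashable]:
    """Objects that raw_view reports but api_view omits in every round.
    A rootkit hook filters the API result, so a persistent difference is
    the set of hidden objects. A one-off difference (an object created or
    destroyed between the two enumerations) is a race, not a rootkit;
    requiring it to persist across `samples` rounds filters it out."""
    if samples < 1:
        raise ValueError("samples must be >= 1")
    suspicious = None
    for _ in range(samples):
        raw = set(raw_view())  # independent walk: kernel structures, MFT, hive
        api = set(api_view())  # what the (possibly hooked) API reports
        diff = raw - api
        suspicious = diff if suspicious is None else suspicious & diff
        if not suspicious:
            break
    return frozenset(suspicious)

class SimulatedHost:
    """Constructed stand-in for a host with a process-hiding rootkit.
    `hidden_pids` are dropped from the API view by the rootkit's hook;
    `transient` is a process alive during the first raw walk that exits
    before the API is queried (the classic single-shot false alarm)."""

    def __init__(self, processes, hidden_pids, transient=None):
        self.processes = set(processes)
        self.hidden_pids = set(hidden_pids)
        self.transient = transient
        self.raw_calls = 0

    def raw_view(self) -> Set[Hashable]:
        self.raw_calls += 1
        view = set(self.processes)
        if self.transient is not None and self.raw_calls == 1:
            view.add(self.transient)
        return view

    def api_view(self) -> Set[Hashable]:
        return {p for p in self.processes if p[0] not in self.hidden_pids}

def make_host() -> SimulatedHost:
    """Constructed sample: three visible processes, one hidden, one short-lived."""
    return SimulatedHost(
        processes={(4, "System"), (612, "svchost.exe"), (1337, "hidden.exe")},
        hidden_pids={1337}, transient=(2001, "shortlived.exe"))
```

The same comparison applies to files, directories and registry keys once each view returns their identifiers; the raw view on a real system must come from a path the rootkit does not hook, which is why such detectors read kernel structures or on-disk formats directly.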

The spread of rootkits to worms and spyware was perhaps inevitable, but has only happened this year because rootkits are so difficult to program, Hypponen said.

"Stealth viruses used to be such a big problem in DOS, so why was there a silence of 10 years before they became a problem with Windows?" he said. "It is more difficult to write kernel-level hiding techniques in 32-bit Windows, it simply is hard. Few people had these skills. Now it seems those people have shared their knowledge."

One factor behind the boom in rootkits is the availability of simple, ready-to-use software such as the open-source FU, one of the rootkits most commonly detected by Microsoft's removal tool. "FU is a very simple rootkit to cut-and-paste into worms and bots," said Hypponen in an analysis on Wednesday. The program only hides processes, not files or registry keys.

But not everyone is using such simple tools - Apropos, for example, appears to use a highly sophisticated, custom-made rootkit, Hypponen said. One of its advanced properties is the ability to disguise itself, appearing differently each time it is downloaded. "Try detecting that with an anti-virus scanner," Hypponen said.

Rootkits are not just being used to hide conventional worms and spyware; they are also part of a trend over the past six months away from large-scale worm outbreaks towards smaller, more professional attacks aimed at stealing specific data from companies or consumers, according to F-Secure.

Hacker Defender, one of the top rootkits detected by Microsoft, is also one of the most dangerous as it is used by professionals compromising corporate servers, F-Secure said.

"Despite the infection numbers of HacDef (being) most likely much below those of FU, these infections are usually far more serious," said Hypponen in a written report.